Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 03:28

Static task: static1

Behavioral task: behavioral1
Sample: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
Resource: win10v2004-20240508-en
General
Target: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
Size: 66KB
MD5: 49fbfdd2a04dbf9c0c4550d0bb4763e3
SHA1: d9d5ed726dd707da03ba6edfb4bd8e73e53599ba
SHA256: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034
SHA512: 12dcfce9b2d2fe6d9706d8cf042ef94b5201949314dda266b1dfc9e0f4673431f1757ff3366cb759650fce28e104c3dda7b6ccb2379874f6c58f668b471e3382
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXic:IeklMMYJhqezw/pXzH9ic
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2788 | explorer.exe
764 | spoolsv.exe
3052 | svchost.exe
3704 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries in report
1580 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe | 2
2788 | explorer.exe | 34
3052 | svchost.exe | 28
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2788 | explorer.exe
3052 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | entries in report
1580 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe | 2
2788 | explorer.exe | 2
764 | spoolsv.exe | 2
3052 | svchost.exe | 2
3704 | spoolsv.exe | 2
2788 | explorer.exe | 2
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target | entries in report
PID 1580 wrote to memory of 2788 | 1580 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe | 93 | 3
PID 2788 wrote to memory of 764 | 2788 | explorer.exe | 94 | 3
PID 764 wrote to memory of 3052 | 764 | spoolsv.exe | 95 | 3
PID 3052 wrote to memory of 3704 | 3052 | svchost.exe | 96 | 3
PID 3052 wrote to memory of 3488 | 3052 | svchost.exe | 97 | 3
PID 3052 wrote to memory of 3516 | 3052 | svchost.exe | 118 | 3
PID 3052 wrote to memory of 1864 | 3052 | svchost.exe | 127 | 3
Processes (indentation shows the process tree; depth 1 is a top-level process)

C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe (depth 1, PID 1580)
  command line: "C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (depth 2, PID 2788)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (depth 3, PID 764)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (depth 4, PID 3052)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (depth 5, PID 3704)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (depth 5, PID 3488)
          command line: at 03:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (depth 5, PID 3516)
          command line: at 03:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (depth 5, PID 1864)
          command line: at 03:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 412)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 66KB
MD5: ddf4433b389973025de3e412b760b81b
SHA1: 99bb1f0a34b4fc8df1d80097eb430bac4be70a9c
SHA256: a607440e6bb516d11c49eb1e3b5f28b32309781e6c3ca65382ff65675b84cbd9
SHA512: 96f151d736c2d419d4b7e1adc61a62eb6ea5ce04b03dc025a7aba5b4ed8b460d15b8ded3b48c5f78a365a92bec97428a88ed02a0fcae3181ca830883fb36075b

Filesize: 66KB
MD5: 00ed6ae2223e51eb6d9fc5c0d8455c5d
SHA1: 393420230588946e9538431379700f55c379418e
SHA256: 4b79b89c96f158801fbaad533e80930d3244a9c2820a3c3e94ff74d352412017
SHA512: b501a9de506ff0457ab0b3b7ca5cbc5d3f7e6ca178ebe087e98780597a379df28bf901998812bba9a7d4af62905ecfaee2f884b1b36df4ba75ad6a59b8048af2

Filesize: 66KB
MD5: 53db99230e51066681f2344d9bc8e76f
SHA1: c4b02472c8b76565ad4bf9317859892fc537df5d
SHA256: cc66bdad88b36eaf5b89fb6a57a23261bd009ddb5121e6b9972692203afaabfb
SHA512: c1f9d2eece1a63c11850b48a3b84649b704e38d193044392b6aecee9259f6f6c946f6054eb11186655830979d9295ad11df4b520139bc20b6084d489f42b236e

Filesize: 66KB
MD5: 8b05219e34e432054b9a68a4c90fc145
SHA1: f3248725de1176b9ce4ab02fd0cbd6a31900df7f
SHA256: 995e701f5c5714433d3975add56aca268290bacb59d4fcc179ce61559398d43c
SHA512: 204e68712829704dff97e53e89692f53758d1669863d8b825d727294dc47508a13840da484a20d783da724a183f2c9871dea897faf0254a2eef43ddb94ecfc64